Checks whether the policies that are attached to each RAM user include the specified high-risk permissions. If they do not, the evaluation result is Compliant.
Scenarios
This rule applies when you need to grant permissions to each RAM user based on the principle of least privilege (PoLP). This prevents security risks that may occur due to excessive permissions.
Risk level
Default risk level: medium.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If the policies that are attached to each RAM user exclude specified high-risk permissions, the evaluation result is Compliant.
- If the policies that are attached to each RAM user include specified high-risk permissions, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
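As an added example (not Alibaba Cloud's own evaluation code), the following Python models this rule's logic: it splits the Action input parameter on commas, walks the Allow statements of each RAM user's attached policy documents, and reports Incompliant when any granted action pattern covers a specified high-risk action. The users and policy documents are constructed samples, and the wildcard expansion of action patterns is an assumption.

```python
import fnmatch
import json

# Constructed sample: RAM users and the policy documents attached to them,
# written in RAM policy syntax (Statement / Effect / Action / Resource).
RAM_USERS = {
    "alice": [json.dumps({"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:Describe*"], "Resource": "*"}]})],
    "bob": [json.dumps({"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "ram:*", "Resource": "*"}]})],
    "carol": [json.dumps({"Version": "1", "Statement": [
        {"Effect": "Deny", "Action": "ram:DeleteUser", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ecs:*", "oss:GetObject"], "Resource": "*"}]})],
}

def parse_actions(param):
    """Split the rule's 'Action' input parameter on commas, dropping blanks."""
    return [a.strip() for a in param.split(",") if a.strip()]

def allowed_actions(policy_doc):
    """Yield every action pattern granted by an Allow statement; Deny is ignored
    because only granted permissions can make the user Incompliant."""
    for stmt in json.loads(policy_doc).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)

def grants(pattern, high_risk):
    """Assumption: '*' in a policy action is a wildcard ('ram:*' or '*' covers
    'ram:DeleteUser') and matching is case-insensitive."""
    return fnmatch.fnmatchcase(high_risk.lower(), pattern.lower())

def evaluate(users, action_param):
    """Return {user: 'Compliant' | 'Incompliant'} for the given Action parameter."""
    high_risk = parse_actions(action_param)
    result = {}
    for user, docs in users.items():
        hits = [h for doc in docs for p in allowed_actions(doc)
                for h in high_risk if grants(p, h)]
        result[user] = "Incompliant" if hits else "Compliant"
    return result

if __name__ == "__main__":
    print(evaluate(RAM_USERS, "ram:DeleteUser,ram:AttachPolicyToUser"))
```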
Rule details
| Item | Description |
|---|---|
| Rule name | ram-user-specified-permission-bound |
| Rule identifier | ram-user-specified-permission-bound |
| Tag | RAM and User |
| Automatic remediation | Not supported |
| Trigger type | Configuration change and periodic execution |
| Evaluation frequency | Interval of 24 hours |
| Supported resource type | RAM user |
| Input parameter | Action: the high-risk permissions to check for. Separate multiple values with commas (,). |
Incompliance remediation
Revoke high-risk permissions from a RAM user. For more information, see Remove permissions from a RAM user.